(57) Abstract: 

PROBLEM TO BE SOLVED: To provide a mechanism for efficiently managing certificates by adding at 
least one certificate, fetched from a certificate database, to each user account in a user 
account database. 
SOLUTION: When an account 320 receives a new user name and password pair, user information 322 
is updated. The newly set user name and password are entered on PC 314 when prompted and are 
sent to proxy server 114 in packet form over HTTP. In server 114, HTTP server 330 extracts the 
user name and password, and server module 340 performs the authentication check against user 
information 322 held in memory. When the entered user name and password match the stored pair, 
the user name is authenticated and the user, or PC 314, is permitted to access account 324. 
CLAIMS 



[Claim(s)] 

[Claim 1] A method for centrally managing certificates in a proxy server device for a plurality 
of thin client devices connected to the proxy server via a data network, the method comprising: 
maintaining a free certificate database accessible by said proxy server, the free certificate 
database holding a plurality of free certificates issued by a certificate authority (CA), each 
certificate having a corresponding public key and a corresponding private key; maintaining a 
user account database accessible by said proxy server, the user account database holding a 
plurality of user accounts, each thin client device being associated with one of the user 
accounts, and each user account having a device ID assigned to it, a list of public keys, a list 
of private keys, and a list of certificates assigned to that user account; and adding at least 
one certificate taken from said certificate database to each user account in said user account 
database. 

[Claim 2] The method according to claim 1, wherein maintaining the certificate database in said 
proxy server comprises: receiving a certificate request when the number of free certificates in 
said certificate database falls below a lower threshold; generating a new certificate, which 
comprises generating an identifier for the new certificate, generating a new public key and a 
new private key for the new certificate, and transmitting to said CA a certificate request that 
contains the new public key; receiving the new certificate signed by the CA; and placing said 
new certificate in said free certificate database. 

[Claim 3] The method according to claim 1, wherein maintaining said user account database 
comprises: when a new thin client device is activated, acquiring one of said free certificates 
from said free certificate database; creating a new user account associated with a new device ID 
and a new member ID; and associating said acquired free certificate, its corresponding private 
key and its public key with said new user account. 

[Claim 4] The method according to claim 1, further comprising updating said free certificates in 
said free certificate database when a certificate update request is received. 

[Claim 5] The method according to claim 4, wherein updating the free certificates in said free 
certificate database when said certificate update request is received comprises, when the 
certificate update request is a certificate revocation list, removing the invalidated 
certificates from said free certificate database. 

[Claim 6] The method according to claim 4, wherein updating the free certificates in the free 
certificate database when said certificate update request is received comprises deleting a 
certificate from said free certificate database according to an insert/delete query contained in 
said certificate update request. 
[Claim 7] The method according to claim 1, further comprising, when a newly set user name and 
password are received from a thin client having a valid device ID, updating the user account in 
said user account database associated with that valid device ID. 
[Claim 8] The method according to claim 7, wherein said user account in said user account 
database is accessible, using said newly set user name and password, from a computer connected 
to said proxy server via the Internet. 
[Claim 9] The method according to claim 8, wherein a valid user name and password must be 
supplied in order to access said user account. 

[Claim 10] A device for centrally managing certificates in a proxy server device on a data 
network for a plurality of thin client devices, the device comprising: 

a certificate management module for generating free certificates; 

a free certificate database connected to the certificate management module, for storing the 
free certificates received from the certificate management module until an upper threshold is 
reached; 

a user account database accessible by said proxy server device, the user account database 
holding a plurality of user accounts, each thin client device being associated with one of the 
user accounts, and each user account having a device ID and a certificate list assigned to it; 
and 

a certificate quota module for associating one of said free certificates in said free 
certificate database with the new user account in the user account database that is associated 
with a newly activated thin client device. 

[Claim 11] The device according to claim 10, wherein said certificate management module 
comprises: 

a certificate engine that communicates with said certificate quota module; 

a name generator that generates a unique identifier for a new certificate; 

a key pair generator that generates a private key and a public key for the new certificate; and 

a certificate request module that communicates with a certificate authority to obtain the new 
certificate, the certificate request containing said public key and said unique identifier. 

[Claim 12] The device according to claim 11, wherein said name generator comprises an identifier 
generator that combines a time stamp and a member ID. 

[Claim 13] The device according to claim 12, wherein said free certificate database is updated 
when said certificate management module receives a certificate update request. 

[Claim 14] The device according to claim 13, wherein said certificate update request comprises a 
certificate revocation list. 

[Claim 15] The device according to claim 14, wherein said certificate update request further 
comprises an insert/delete query. 

[Claim 16] The device according to claim 10, further comprising a computer network connecting 
said device to said proxy server device, and a client computer connected to the computer 
network, the client computer being able to access a user account in said user account database. 

[Claim 17] A method for centrally managing certificates in a proxy server device for a plurality 
of thin client devices connected to the proxy server via a data network, the method comprising: 
maintaining a user account database accessible by said proxy server, the user account database 
holding a plurality of user accounts, each thin client device being associated with one of the 
user accounts, and each user account having a device ID, a list of public keys and a list of 
private keys assigned to it, and at least one certificate assigned to it; and accessing a secure 
server connected to said proxy server device from a first thin client device, using the first 
certificate assigned to the first user account associated with the first thin client device. 

[Claim 18] The method according to claim 17, further comprising maintaining a free certificate 
database accessible by said proxy server, the free certificate database holding a plurality of 
free certificates issued by a certificate authority (CA), each certificate having a corresponding 
public key and a corresponding private key. 

[Claim 19] The method according to claim 18, wherein maintaining the certificate database in 
said proxy server comprises: receiving a certificate request when the number of free 
certificates in said certificate database falls below a lower threshold; generating a new 
certificate, which comprises generating an identifier for the new certificate, generating a new 
public key and a new private key for the new certificate, and transmitting to the CA a 
certificate request that contains the new public key; receiving the new certificate signed by 
the CA; and placing said new certificate in said free certificate database. 

[Claim 20] The method according to claim 17, wherein maintaining said user account database 
comprises: when a new thin client device is activated, acquiring one of said free certificates 
from said free certificate database; creating a new user account having a new device ID and a 
new member ID; and associating said acquired free certificate, its corresponding private key and 
its public key with said new user account having said new device ID. 
[Claim 21] The method according to claim 18, further comprising updating said free certificates 
in said free certificate database when a certificate update request is received. 

[Claim 22] The method according to claim 21, wherein updating the free certificates in the free 
certificate database when said certificate update request is received comprises, when the 
certificate update request is a certificate revocation list, removing the invalidated 
certificates from said free certificate database. 

[Claim 23] The method according to claim 21, wherein updating the free certificates in the free 
certificate database when said certificate update request is received comprises deleting a 
certificate from said free certificate database according to an insert/delete query contained in 
said certificate update request. 
[Claim 24] The method according to claim 17, further comprising, when a newly set user name and 
password are received from a thin client having a valid device ID, updating the user account in 
said user account database associated with that valid device ID. 
[Claim 25] The method according to claim 17, wherein said user account in said user account 
database is accessed from a computer connected to said proxy server via the Internet. 



DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] This invention relates to data security between server computers and 
client computers on a data network, and in particular to a system that manages, in a proxy 
server, the digital certificates of two-way interactive communication devices on the data 
network. Two-way interactive communication devices such as mobile devices, cellular phones, 
landline telephones and Internet appliance controllers generally have restricted computing 
resources, such as computing power, memory and graphical display capability. 
[0002] 

[Description of the Prior Art] One trend driving the rapid growth of the Internet is electronic 
commerce. Electronic commerce is an integrated concept designed to bring the following together: 
transaction support; order and supply support systems; settlement-of-accounts support systems; 
management information and statistical reporting systems for broad business support services, 
goods and products; customized products, special orders and services; all of it carried out over 
the Internet. However, it is well known that the Internet is an open, international, public 
network of interconnected computers and electronic devices around the world. The capability to 
transmit and receive data safely is therefore a fundamental requirement for conducting 
electronic commerce on the Internet. To conduct business on an open network, a company or 
organization must have an efficient and reliable method of establishing identity, in order to 
protect itself and its customers from fraud and to establish trust. Similarly, the customer 
needs to be confident that personal information sent over the Internet can be read by nobody 
other than the company it is sent to. 

[0003] One of the efforts under way to secure private communication and business transactions 
between two authenticated parties is the use of digital certificates bound to a pair of 
electronic keys that can be used to encrypt and sign the digital information transmitted over 
the Internet. A digital certificate makes it possible to verify a person's claim to be entitled 
to use a given key, which prevents others from posing as the authenticated user with a fake key. 
Used together with encryption, a digital certificate provides a more complete security solution 
by verifying the identity of every participant in a transaction over an open network. 

[0004] The current arrangement for using digital certificates involves two computers on the 
Internet, a client computer and a server computer. 

Each computer physically holds its own certificate, which means that memory space for holding 
the certificate is required. 

When one of those certificates becomes invalid (expired, revoked or unusable), the computer 
holding the invalid certificate can acquire a new certificate from a certificate issuing 
organization. 
[0005] 
[Problem(s) to be Solved by the Invention] However, the acquisition process generally takes 
several minutes and requires considerable computing power. When a communication session is 
established between two computers, each consults the other's certificate and the two computers 
authenticate each other. If authentication succeeds, a session key is generated, that session 
key is used to encrypt all information exchanged between the two computers, and the 
communication session starts. The authentication process again requires considerable computing 
power. 

[0006] When the client computer is a small two-way communication device such as a mobile 
computing device, a cellular phone, a landline telephone or an Internet appliance controller, 
the above arrangement is hard to apply. To increase portability and mobility, most such two-way 
communication devices are designed to be small, light, low in power consumption and as cheap as 
possible. For that reason such a design is often considered a thin design, and its computing 
power is drastically restricted: typically 1% or less of that of a typical desktop or portable 
computer, with a memory space generally of [figure illegible in the source] bytes or less. This 
means that a thin client device has neither the spare memory space to store many certificates 
nor the computing power needed to acquire a new certificate in real time when the one 
certificate it holds becomes invalid. There is therefore a great need to provide thin clients 
with a mechanism by which certificates are managed efficiently. 

[0007] ... 
[Means for Solving the Problem] To achieve the above purpose, this invention is constituted as 
follows. The invention is a method for centrally managing certificates in a proxy server device 
for a plurality of thin client devices connected to the proxy server via a data network. The 
method maintains a free certificate database accessible by said proxy server; this free 
certificate database holds a plurality of free certificates issued by a certificate authority 
(CA), each certificate having a corresponding public key and a corresponding private key. The 
method also maintains a user account database accessible by said proxy server; this user 
account database holds a plurality of user accounts, each thin client device is associated with 
one of the user accounts, and each user account has a device ID assigned to it, a list of public 
keys, a list of private keys and a list of certificates assigned to that user account. The 
method further consists of adding at least one certificate taken from said certificate database 
to each user account in said user account database. 

[0008] The following composition is also suitable for achieving the above objects. The invention 
is a device for centrally managing certificates in a proxy server device on a data network for a 
plurality of thin client devices. The device comprises a certificate management module for 
generating free certificates; a free certificate database connected to the certificate 
management module, which stores the free certificates received from the module until an upper 
threshold is reached; a user account database; and a certificate quota module for associating 
one of said free certificates in said free certificate database with the new user account in the 
user account database that is associated with a newly activated thin client device. The user 
account database is accessible by said proxy server device and holds a plurality of user 
accounts; each thin client device is associated with one of these user accounts, and each user 
account has a device ID and a certificate list assigned to it. 

[0009] The following composition is also suitable for achieving the above objects. The invention 
is a method for centrally managing certificates in a proxy server device for a plurality of thin 
client devices connected to the proxy server via a data network. The method maintains a user 
account database accessible by said proxy server; this user account database holds a plurality 
of user accounts, each thin client device is associated with one of these user accounts, and 
each user account has a device ID, a list of public keys and a list of private keys assigned to 
it, and at least one certificate assigned to it. The method consists of accessing a secure 
server connected to said proxy server device from a first thin client device, using the first 
certificate assigned to the first user account associated with the first thin client device. 
[0010] 

[Embodiment of the Invention]These of this invention and other features, the side, and an 
advantage are better understood about the following explanation, a claim, and an accompanying 
drawing. 

(Notation and nomenclature) In the following detailed description of the invention, numerous specific details are set forth in order to provide a thorough understanding of the invention. It will be apparent to one skilled in the art, however, that the invention may be practiced without these specific details. In other instances, well-known methods, procedures, components, and circuits are not described in detail so as not to obscure aspects of the invention.

[0011]Most of the detailed description that follows is presented in terms of procedures, steps, logic blocks, processing, and other symbolic representations of operations on a data processing device connected to a network. These descriptions and representations are the means used by those skilled in the art to convey the substance of their work most effectively to others skilled in the art. The invention is a centralized certificate management system for two-way interactive communication devices on data networks. The methods described in detail below are self-consistent sequences of processes or steps leading to a desired result. These steps or processes require physical manipulation of physical quantities. Usually, though not necessarily, these quantities take the form of electrical signals capable of being stored, transferred, combined, compared, displayed, and otherwise manipulated in a computer system or electronic computing device. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, operations, messages, items, numbers, or the like. It should be borne in mind that all of these and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to those quantities. Unless specifically stated otherwise, as is apparent from the following description, discussions throughout the invention using terms such as "processing", "computing", "verifying", or "displaying" refer to the actions and processes of a computing device that manipulates and transforms data represented as physical quantities within the computing device's registers and memories into other data similarly represented as physical quantities within the computing device or other electronic devices.

[0012](Introduction to digital certificates) A digital certificate, or certificate, sometimes called a digital ID or security certificate, is information, often stored as a text file, used by the Secure Sockets Layer (SSL) protocol to establish a secure connection between two parties on open data networks. In its simplest form, a certificate contains a public key and a name. As commonly used, a certificate also contains an expiration date, the name of the certificate authority that issued it, a serial number, and other information. Most importantly, a certificate contains the digital signature of its issuer. A digital signature is a cryptographic "fingerprint" that can be used to verify the contents of the certificate.

[0013]A digital certificate, or certificate, is issued by a certificate authority (CA) and is signed only with the CA's private key. The most widely accepted format for digital IDs is defined by the international standard CCITT X.509, so certificates are written by applications that conform to CCITT X.509. A digital certificate uses public-key cryptography, which is based on a pair of two related keys called a public key and a private key. In public-key cryptography, anyone who wishes to communicate with the holder of the key pair can obtain the public key. The public key can be used to verify a message signed with the private key, or to encrypt a message that can only be decrypted with the private key. The security of an encrypted message therefore rests on the secrecy of the private key, which must be protected from unauthorized use.

[0014]The key pair in a certificate is bound to a user name and other identifying information. When installed in an HTML browser such as Netscape Navigator from Netscape Communications Inc. of California or Internet Explorer from Microsoft Corporation of Washington, the certificate acts as an electronic credential that a contacted site can examine. This makes it possible to replace a password dialog with a digital certificate, for example to restrict access to information and services that require a subscription, or to a specific user. For example, when someone sends a message to a merchant's website, the person signs the message and includes a digital ID so that the recipient can be sure the message was indeed sent by that person. When the merchant receives the digitally signed message, it verifies the signer's digital ID to determine that no forgery or misrepresentation has taken place. In general, once a user obtains a certificate, the user can configure a security-enabled web or e-mail application to use the certificate automatically. Drawing 1 shows the authentication process using a digital ID between a client and a merchant server.

[0015]The most secure approach to authentication is to enclose one or more certificates with each signed message. The recipient of the message verifies the certificate using the public key of the certificate authority, is thereby assured that it holds the sender's public key, and then verifies the signature on the message. Two or more certificates may be enclosed with a message, forming a hierarchical chain in which each certificate vouches for the authenticity of the preceding one. The chain terminates at a top-level certificate authority, which is trusted without certification by any other certificate authority. The public key of the top-level certificate authority must be known independently, for example by being widely published. In other words, a sender whose company is known to the recipient need only enclose one certificate (the one issued by the company), whereas a sender whose company is not known to the recipient may enclose two or more. To increase security, the general practice is to enclose exactly enough of the certificate chain that the highest-level issuer in the chain is well known to the recipient. When there are many recipients, enough certificates must be included to cover what each recipient needs.
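The rule stated in [0015], that the sender encloses exactly enough of its chain for the topmost issuer in what is sent to be known to the addressee, and enough to cover every addressee when there are several, can be expressed as a small chain-trimming procedure. The following is an added example and is not part of the original document; it models certificates only as (subject, issuer) links, performs no signature verification, and uses constructed names throughout.

```python
"""Deciding how much of a certificate chain to enclose (added example).

Models the rule in [0015]: enclose the shortest leaf-first prefix of the
sender's chain whose top issuer the addressee already knows; with several
addressees, enclose enough to cover each of them. Certificates are modeled
as (subject, issuer) links only; signatures are not checked here.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Constructed sample chain, leaf first, ending in a self-signed top-level CA.
SENDER_CHAIN: List[Cert] = [
    Cert("sender@example-corp", "Example Corp CA"),
    Cert("Example Corp CA", "Regional CA"),
    Cert("Regional CA", "Top-Level CA"),
    Cert("Top-Level CA", "Top-Level CA"),
]


def validate_chain_shape(chain: List[Cert]) -> None:
    """Each certificate's issuer must be the subject of the next certificate up."""
    if not chain:
        raise ValueError("empty chain")
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            raise ValueError(f"chain broken between {child.subject!r} and {parent.subject!r}")


def chain_to_enclose(chain: List[Cert], known_to_addressee: Set[str]) -> List[Cert]:
    """Shortest leaf-first prefix whose top issuer the addressee already knows.

    The self-signed top-level certificate is never enclosed: if the addressee
    does not know the top-level CA independently, the chain cannot be
    validated by that addressee at all, which is reported as an error.
    """
    validate_chain_shape(chain)
    enclosed: List[Cert] = []
    for cert in chain:
        if cert.issuer == cert.subject:
            break  # reached the self-signed top-level CA; nothing above it
        enclosed.append(cert)
        if cert.issuer in known_to_addressee:
            return enclosed
    raise ValueError("addressee knows none of the issuers in this chain")


def chain_for_all(chain: List[Cert], addressees: Dict[str, Set[str]]) -> List[Cert]:
    """For many addressees, enclose the longest prefix any one of them needs.

    Every per-addressee prefix is a prefix of the longest one, so sending
    the longest covers all of them.
    """
    longest: List[Cert] = []
    for known in addressees.values():
        needed = chain_to_enclose(chain, known)
        if len(needed) > len(longest):
            longest = needed
    return longest
```

An addressee that knows only the top-level CA receives three certificates (sender, company, regional); one that already knows the company CA receives the sender's certificate alone.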

(Preferred embodiment) Referring now to the drawings, in which like numerals denote like parts throughout, drawing 2 shows a data network 100 in which the invention may be practiced. The data network 100 generally consists of an airnet 102, also called a wireless network, and a landnet 104, which is generally a landline network; each is a communication medium through which data communications pass. Because data communications in the airnet 102 are carried over the air, and the airnet 102 is controlled and managed by a carrier such as AT&T or GTE, it is sometimes called a carrier network. Each carrier may have its own communication scheme in the airnet 102, such as CDPD, CDMA, GSM, or TDMA. The landnet 104, referred to here interchangeably as the Internet, may be the Internet, an intranet, or another private network. Numeral 106 denotes one of the mobile devices, which may be a mobile device, a cellular phone, a landline telephone, or an Internet appliance controller, and which can communicate with the airnet 102 via an antenna 108. Although the airnet 102 carries the communications of many two-way communication devices simultaneously, only one mobile device 106 is shown in the figure, as will be generally understood.

[0016]Similarly, although a plurality of desktop personal computers (PCs) 110 and a plurality of server computers 112 are connected to the Internet 104, only one example of each is shown in the figure. As shown, the PC 110 may be a personal computer such as the SPL300 from NEC Technologies Inc. running a HyperText Markup Language (HTML) web browser, and the browser uses the Hypertext Transfer Protocol (HTTP) over the Internet 104 to access information stored in a web server, which may be a workstation from Sun Microsystems Inc. Those skilled in the art will understand that the PC 110 can also store accessible information and thereby act as a web server. Between the Internet 104 and the airnet 102 is a proxy server computer 114, which relays data between them. The proxy server computer 114, also called a link server or gateway server computer, may be a workstation or a personal computer and also performs mapping or translation functions. For example, it can map one communication protocol to another, so that the mobile device 106 can communicate with any of the servers 112 or
[0017]One well-known communication protocol used on the Internet 104 is the Hypertext Transfer Protocol (HTTP) or its secure version, HTTPS. It runs over TCP and governs the connection, and the exchange of information, between a well-known HTML web browser and the web server 112 or the server 114. HTTPS supports SSL, which is the most widely used protocol for secure, authenticated communication between an HTML browser and a web server. The familiar indication in an HTML browser is "https" preceding a Universal Resource Locator (URL), which shows that an SSL connection has been established. In an SSL connection, at least the server side, and preferably both sides, holds a certificate by which it can be authenticated by the other party. Each side then encrypts what it transmits using information from the other side's certificate, or from both certificates, which ensures that only the intended recipient can decrypt it, that the other side can be sure the data came from where it claims to, and that the message has not been altered.
[0018]The communication protocol between the mobile device 106 and the proxy server 114 across the airnet 102 is the Handheld Device Transport Protocol (HDTP) or the Secure Uplink Gateway Protocol (SUGP), which preferably runs over the User Datagram Protocol (UDP) and governs the connection between an HDML web browser in the mobile device 106 and the proxy server 114. Here HDML stands for Handheld Device Markup Language. Like HTML, HDML is a tag-based document language consisting of a set of commands or statements specified in cards, which determine how information is displayed on the small screen of the mobile device 106. Usually many cards are grouped into a deck, and the deck is the smallest unit of HDML information that may be exchanged between the mobile device 106 and the proxy server 114. The HDTP specification entitled "HDTP Specification" and the HDML specification entitled "HDML 2.0 Language Reference" are enclosed and incorporated by reference in their entirety. HDTP is a session-level protocol similar to HTTP, but it does not carry HTTP's overhead and is highly optimized for use in thin devices whose computing power and memory are severely limited. Unlike TCP, UDP does not require a connection to be established between a client and a server before information is exchanged, so using UDP reduces the number of packets that must be exchanged between a client and a server for session setup. Having very few packets exchanged per transaction is a desirable feature if a mobile device with severely limited computing power and memory is to communicate efficiently with a landline device.

[0019]The mobile device 106 comprises a display screen 116 and a keypad 118. Because the microcontroller and the hardware components including ROM and RAM in the mobile telephone 106 are well known to those skilled in the art, the hardware components are not described in detail here. Using the screen 116 and the keypad 118, the user of the mobile telephone 106 can communicate interactively over the airnet 102 with the proxy server 114. According to one embodiment, the processes associated with the invention are compiled and stored in ROM as client modules that operate the mobile device 106 with the proxy server 114. When activated by a predetermined key sequence entered on the keypad 118, the client modules in ROM are executed by the microcontroller and initiate a communication session request to the proxy server 114. Once a communication session is established, the mobile device 106 typically receives a single HDML deck from the proxy server 114 and stores the deck in RAM as a cache. The HDML deck consists of one or more cards, each of which contains the information needed to generate a screen display on the display screen 116, as described above. The number of cards in a deck is chosen to promote efficient use of the resources of the mobile device and the airnet 102. Generally one of the cards is a selection card that lists frequently visited websites and lets the user choose one, after which a secure, authenticated communication session is established with the proxy server. The process of using a certificate to establish such a communication session is described below.

[0020]Drawing 3 shows how the invention interacts with other parts or components of the data network. Three representatives of the plurality of mobile devices connected to the airnet 102 are denoted 302, 304, and 306, and similarly three representatives of the plurality of landline devices connected to the landnet 104 are denoted 310, 312, and 314. The proxy server 114 of drawing 2, shown here with its interface 128, connects the airnet 102 to the landnet 104, so any mobile device can communicate with a landline device via the airnet 102, the proxy server 114, and the landnet 104. For ease of explanation, the internal structure of the mobile device 302 and of the link server 114 is shown. Other processes and hardware, being well known to those skilled in the art, are not shown in detail, for clarity.
[0021]A device ID 316 is assigned to each mobile device, such as the mobile device 302. The device ID 316 may be a telephone number, or a combination of an IP address and a port number, for example 204.163.165.132:01905, where 204.163.165.132 is the IP address and 01905 is the port number. In addition, the device ID 316 is associated with a member ID 318 and is authenticated by the carrier in the proxy server 114 as part of the procedure for activating the mobile device 302, when the member ID 318 is used to establish the user account 324 in the proxy server 114. The member ID 318 may take the form 861234567-10900_pn.mobile.att.net for AT&T Wireless Services, for example. The member ID 318 is a unique identifier of the mobile device 302. In other words, each of the mobile devices 302, 304, and 306 has a unique device ID corresponding to a member ID that designates its own user account in the proxy server 114. Those skilled in the art will recognize that the following description, which is based on the mobile device 302 and its associated account 324, applies equally to the plurality of mobile devices communicating simultaneously with the proxy server 114.

[0022]The account 324 is a data structure pointed to by the device ID 316 or the member ID 318, is identified by an address identifier such as a URL, and consists of user information 322, a certificate list 320, and a private-key list 326. The user information 322 contains information related to the account, such as the account configuration and a user name and password. The URL of the account may take the form www.att.com/Pocketnet, for example, indicating that the airnet 102 is operated by AT&T Wireless Services. The certificate list 320 contains a list of specific certificates issued by one or more CAs, and the private-key list 326 correspondingly contains a key for each certificate in the certificate list 320. All certificates in the certificate list 320 are exclusively associated with the specific account. In general, the proxy server 114 holds a large number of such user accounts in a database 328, each user account being associated with a mobile device that subscribes to the same carrier and receives service through the proxy server 114. Because each certificate is associated with an account, it will be appreciated that the certificates in one account differ from those in another.

[0023]Even on an ordinary full-powered desktop computer, generating a public/private key pair and obtaining a certificate from a CA takes a remarkably long time. To minimize the time needed to obtain a certificate using a mobile device, a certificate manager module (CMM) 342 maintains a certificate database, preferably held in the database 328, containing a list of issued but unassigned certificates, called free certificates, obtained from one or more CAs. To activate a mobile device, which needs one or more certificates in order to access web servers that require a certificate, a certificate request signal (certRequest) is sent to the CMM 342 whenever a user account is created, so that a required certificate is obtained from the certificate database. Upon receiving a certificate obtained from the certificate database, the CMM 342 assigns the certificate to the specific account by adding the device ID 316 and other account information to it. The obtained certificate is thus bound to the specific account and placed in its certificate list 320. Meanwhile, the CMM counts the number of usable free certificates in the certificate database, and when that number falls below a certain value, called the threshold, for example 200, the CMM invokes the HTTP module 330 to establish a connection via the landnet 104 to a suitable CA and obtains new free certificates to fill the certificate database until the threshold is reached again. In this way there are always enough free certificates in the certificate database that can be used immediately for a new account.
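The pool-and-threshold behaviour of the CMM described in [0023] can be made concrete as follows. This is an added example, not code from the original document: a certRequest takes one free certificate, binds it to the requesting account's device ID, places it on that account's certificate list, and then tops the pool back up whenever the free count is below the threshold. The CA round trip over HTTP is represented by a caller-supplied callable, and the counting stand-in below is constructed for the example; real issuance is outside its scope.

```python
"""Free-certificate pool with threshold-driven replenishment (added example).

Models the CMM of [0023]: a pool of issued but unassigned ("free")
certificates, assignment of one to a newly created account, and refilling
from the CA whenever the pool drops below the threshold (200 in the page's
example). fetch_from_ca stands in for the HTTP exchange with a CA.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Optional


@dataclass(frozen=True)
class FreeCertificate:
    serial: str
    issuer: str


@dataclass(frozen=True)
class AssignedCertificate:
    serial: str
    issuer: str
    device_id: str  # binding added by the CMM when the certificate is assigned


@dataclass
class CertificateManager:
    threshold: int
    fetch_from_ca: Callable[[int], List[FreeCertificate]]
    free: Deque[FreeCertificate] = field(default_factory=deque)
    certificate_lists: Dict[str, List[AssignedCertificate]] = field(default_factory=dict)

    def free_count(self) -> int:
        return len(self.free)

    def replenish(self) -> int:
        """Fill the pool back up to the threshold; returns the number fetched."""
        shortfall = self.threshold - len(self.free)
        if shortfall <= 0:
            return 0
        fetched = self.fetch_from_ca(shortfall)
        self.free.extend(fetched)
        return len(fetched)

    def cert_request(self, device_id: str) -> Optional[AssignedCertificate]:
        """Serve a certRequest for a new account from the pool.

        Returns None only if the pool is empty and the CA supplied nothing,
        so a failed refill is visible to the caller instead of silently
        leaving the new account without a certificate.
        """
        if not self.free:
            self.replenish()
        if not self.free:
            return None
        cert = self.free.popleft()
        assigned = AssignedCertificate(cert.serial, cert.issuer, device_id)
        self.certificate_lists.setdefault(device_id, []).append(assigned)
        if len(self.free) < self.threshold:
            self.replenish()  # in production this runs off the request path
        return assigned


def make_counting_ca(issuer: str = "Example CA") -> Callable[[int], List[FreeCertificate]]:
    """Constructed stand-in for the CA: hands out sequentially numbered certificates."""
    counter = {"next": 0}

    def fetch(n: int) -> List[FreeCertificate]:
        out = []
        for _ in range(n):
            counter["next"] += 1
            out.append(FreeCertificate(f"{counter['next']:06d}", issuer))
        return out

    return fetch
```

With the threshold set to 5, one call to replenish() fills the pool, a cert_request() takes the first certificate and immediately refills the pool to 5 again; a CA that returns nothing leaves cert_request() returning None rather than a bogus binding.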
[0024]Those skilled in the art will recognize here that, unlike the conventional method of obtaining a certificate on a local device that usually has sufficient computing power, and unlike the conventional method of physically storing a user account on a local device, the invention uses the computing power of a proxy server to perform the task of obtaining certificates asynchronously, and holds the certificates in user accounts on the proxy server. Managing certificates in the proxy server for all users makes it possible for a client to access a secure website without requiring additional computing power and memory. Other advantages will be recognized from the following description.

[0025]A certificate is issued by a CA, which is a trusted central authority that vouches for the identity of the party to which it issued the certificate and for the key associated with it. For example, a company or a university issues certificates to its own employees and students. To meet the mobile device 302's need to obtain a certificate from a CA, in addition to the CMM 342 obtaining a free certificate, the server module 340 lets a user log on to the user account 324 associated with the mobile device 302 via a computer connected to the landnet 104, such as the PC 314. This is done by logging on to the user account 324 using its address identifier, such as www.att.com/Pocketnet. To verify that the account 324 is accessed by an authorized user, a set of credentials such as a user name and password is required. When a user points the PC 314 at the URL http://www.att.com/Pocketnet, the server module 340 prompts for a user name and password via the HTTP module 330. Entry of a matching user name and password pair is accepted as authorization to access the account.

[0026]To provide flexibility and security for the account, the user name and password are entirely managed by the user. The user of the mobile device 302 can access the device's account 324 in the proxy server 114 using the mobile device 302, which is equipped with the HDML browser. Once the URL of the account is known, the user presses a predetermined key to cause the client modules 332 to send a request formed from the URL and the device ID 316 to the UDP interface 336, which then establishes a communication session to the proxy server 114 using HDTP. The request is received by the corresponding UDP interface 128 in the proxy server 114 and is executed by the server module 340 to check whether the device ID is authorized. The proxy server 114 then sends a response to the mobile device 302 requesting a user name and password. In practice the response does not require the user name and password pair from the user in order to grant access to the account: access to the account is granted on the basis of a match between the device ID 316 in the request from the mobile device 302 and the device ID stored in the account 324 in the proxy server 114.

[0027]Instead, the response lets the user set up the account himself by entering a new user name and password pair. On receiving the new user name and password pair, the account 324 updates its user information 322. After this self-setup procedure, a user who prefers the ample computing power and the more familiar HTML browser of the PC 314 can establish a communication session to the account using HTTP and the account's URL. The newly set user name and password are entered into the PC 314 when prompted and are sent to the proxy server 114 in packet form using HTTP. In the proxy server 114, the HTTP server 330 extracts the user name and password, and the server module 340 performs an authentication check using the user information 322 in memory. If the entered user name and password match, the user is authenticated and the user, or the PC 314, is permitted to access the account 324. Here the user can request a certificate from a specific CA and update the certificate list 320 and the key list 326. The process of obtaining a certificate from a CA using an HTML browser is well known to those skilled in the art and is therefore not described here. In addition to the function provided by the CMM, a user can thus obtain certificates as needed through this self-setup function, relying on the proxy server to maintain all the certificates designated for the mobile device 302.

[0028]An example in which the user of the mobile device 302 requests a certificate from a user-specified CA is shown in drawing 3, drawing 4, and drawing 5. After a predetermined key is pressed, the mobile device 302 uses HDTP to request a connection to the proxy server 114 using the URL of the account for the mobile device 302, 86123456-10900_pn.mobile.xyz.net. The device ID 86123456-10900 is extracted from the request, and it is verified that the device ID 86123456-10900 has an account 324 designated by the same device ID. In the verification, a user name and password pair is requested from the user of the mobile device 302. A user name and password are not information required for the mobile device 302 to access the account 324; as explained, they are the authorization credentials that the user manages. If the user does not enter a new user name and password, the user name and password in the user account 324 remain the same; if a new user name and password are entered, for example the user name "Smith" and the password 123456, the account 324 is updated with the new user name and password. The user can then go to any computer on the landnet 104 in order to operate the account 324. The PC 314 is equipped with an HTML browser that provides the full graphical user interface for the user to operate the account 324 efficiently. The PC 314 establishes an HTTP connection to the gateway 354 in the server module 340 for all user accounts in the proxy server 114, using the URL of the gateway 354, for example mobile.xyz.net. The user at the PC 314 is prompted for a user name and password pair. To pass the gateway 354, "Smith" must be entered as the user name and "123456" as the password. When the entered user name and password are received, the gateway 354 compares them with those in the account 324. In the case of a mismatch, the PC or user is denied access to the account 324. If the entered user name and password match those in the account 324, the gateway 354 grants access to the PC 314. By supplying the URL of a specific CA 358, the user of the PC 314 can use the HTML browser to request a specific certificate from that CA 358 and place the certificate in the account for use by the mobile device 302.

[0029]According to one embodiment of the invention, the certificate list may be implemented as a pointer to a certificate table 368, as shown in drawing 5. Those skilled in the art will recognize that using a pointer gives the certificate list flexible capacity. A certificate index 370 provides space for all the certificates, and for each certificate specifically requested through the certificate index 370 a corresponding URL list 372 stores the related URL. Some service websites accept certificates only from a particular CA. For example, the financial website identified by www.financial.com accepts only certificates signed by CA S1. Through the self-setup of the account, the user can specifically request a certificate from CA S1 and place it in the certificate table 368. Subsequently, when the mobile device 302 sends a request to establish a connection to www.financial.com and the request containing www.financial.com is received by the proxy server device 114, the URL is used to obtain the corresponding certificate, in this case the certificate from CA S1, and the mobile device 302 can then access the website identified by www.financial.com using the certificate from CA S1. In general, a certificate 382 obtained by the CMM 342 is a general-purpose one accepted by many websites and is not associated with any specific URL. In other words, the certificate table 368 may hold a number of specific certificates requested by the user, denoted 376, 378, and 380, together with one or more general-purpose certificates obtained automatically by the CMM 342, denoted 382.
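The account handling of [0025] to [0029] involves two different ways into the same record and a certificate selection keyed by URL, and the following added example (not code from the original document) puts them side by side: the account record of [0022], the mobile path of [0026] in which access is granted when the device ID in the HDTP request equals the one stored with the account and no user name or password is checked, the gateway path of [0027] and [0028] in which the submitted user name and password pair is compared with the account's, and the certificate table of [0029] in which a certificate requested for a specific site is keyed by its URL and the CMM's general-purpose certificate serves every other site. Salted password hashing and constant-time comparison are hardening choices assumed here; the page only says the pairs are compared. All identifiers are constructed.

```python
"""Two access paths to one proxy-side account, plus certificate selection
by URL (added example modeling [0022] and [0025] to [0029])."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

PBKDF2_ROUNDS = 100_000  # assumed hardening; the page does not specify storage


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def host_of(url: str) -> str:
    """Normalize 'www.financial.com' or 'https://www.financial.com/x' to a host."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.lower()


@dataclass(frozen=True)
class TableCertificate:
    issuer_ca: str
    url: Optional[str] = None  # None marks a general-purpose certificate (382)


@dataclass
class Account:
    device_id: str  # authenticated by the carrier at activation ([0021])
    user_name: str
    salt: bytes
    password_digest: bytes
    certificate_table: List[TableCertificate] = field(default_factory=list)
    private_key_list: List[bytes] = field(default_factory=list)

    def set_credentials(self, user_name: str, password: str) -> None:
        """Self-setup of [0027]: the user chooses a new user name and password."""
        self.user_name = user_name
        self.salt, self.password_digest = hash_password(password)

    def certificate_for(self, requested_url: str) -> Optional[TableCertificate]:
        """Site-specific certificate for this host if one was requested, else a general one."""
        host = host_of(requested_url)
        for cert in self.certificate_table:
            if cert.url is not None and host_of(cert.url) == host:
                return cert
        return next((c for c in self.certificate_table if c.url is None), None)


class AccountDatabase:
    """The proxy's user account database (328)."""

    def __init__(self) -> None:
        self._by_device: Dict[str, Account] = {}

    def create(self, device_id: str, user_name: str, password: str) -> Account:
        salt, digest = hash_password(password)
        acct = Account(device_id, user_name, salt, digest)
        self._by_device[device_id] = acct
        return acct

    def authorize_mobile(self, device_id_in_request: str) -> Optional[Account]:
        """Mobile path ([0026]): the device ID in the HDTP request must equal the
        device ID stored with the account; no user name or password is checked."""
        return self._by_device.get(device_id_in_request)

    def authorize_web(self, user_name: str, password: str) -> Optional[Account]:
        """Gateway path ([0028]): both the user name and the password must match."""
        for acct in self._by_device.values():
            if acct.user_name != user_name:
                continue
            _, digest = hash_password(password, acct.salt)
            if hmac.compare_digest(digest, acct.password_digest):
                return acct
        return None
```

Note the asymmetry the page describes: the mobile path rests entirely on the device ID having been authenticated by the carrier at activation, so whatever binds the device ID to the HDTP session is the security boundary on that side, while the gateway path is an ordinary credential check.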
[0030]Drawing 6 is a block diagram of the various components of the CMM 342. As noted above, the CMM keeps a fixed number of free certificates in the certificate database, and as soon as the number of free certificates in the certificate database falls below the threshold it begins obtaining new certificates from a CA through the HTTP server 330. Numeral 402 denotes the certificate engine, which manages the operation of the other components in the CMM 342. Activating the mobile device 302 requires loading one or more certificates into its account. After a free certificate is taken from the certificate database, when the engine 402 finds that the number of usable free certificates in the certificate database is below the threshold, it causes a distinguished name (DN) generator 404 to generate a unique distinguished name to be embedded in the new certificate to be generated.

[0031]A distinguished name is a name in the standard format of the CCITT X.509 standard. A distinguished name consists of one or more relative distinguished names, and each relative distinguished name consists of one or more attribute-value assertions. Each attribute-value assertion consists of an attribute identifier and a corresponding value, for example CountryName = US, Organization = XYZ, Inc, or OrganizationUnit = XYZ Service Division. Distinguished names are used to identify entries in an X.500 directory tree; the directory tree is used here because it implements a "white pages" directory for the Internet of people, computers, services, and e-mail addresses. The directory is organized hierarchically: at the top are international organizations and countries, a country is divided into states or provinces, and these are further subdivided in various ways. A relative distinguished name is the path from one node in the directory tree to a subordinate node, and the full distinguished name traverses the path from the root of the tree to the node that ultimately represents a specific entry. The goal of the directory is to provide a basis for uniquely naming every communicating entity on the Internet, hence the term "distinguished" name.

[0032]To ensure that the distinguished name generated by the DN generator 404 is ultimately associated with a user name, a DN prefix generator 406 generates a prefix for the distinguished name. The prefix is generally a combination of a time stamp and a member ID, for example 861765228-9, where the time stamp indicates when the certificate request was made and the member ID is the one assigned to a mobile device when it is activated. The distinguished name from the DN generator 404 is made unique by means of the prefix from the DN prefix generator 406. In other words, each certificate in the certificate database has its own unique name, and all the names must be distinguishable.
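The name construction of [0031] and [0032] is shown below as an added example, not code from the original document: relative distinguished names are attribute-value assertions, the prefix generator combines a time stamp with a member ID, and the generator refuses to hand out a name it has already issued. Placing the prefix in the CN attribute is an assumption; the page does not say which attribute carries it. Values are escaped according to RFC 4514 so that a value containing a comma, such as the page's "XYZ, Inc", survives as a single attribute rather than splitting the name.

```python
"""Unique distinguished names with a time-stamp/member-ID prefix (added example
modeling [0031] and [0032]; CN placement of the prefix is assumed)."""
import re
from typing import List, Set, Tuple

RDN = Tuple[str, str]  # (attribute type, value), leaf first

# Characters that must be backslash-escaped anywhere in an RFC 4514 value.
_ESCAPE_ANYWHERE = re.compile(r'([,+"\\<>;])')


def escape_value(value: str) -> str:
    """Escape an attribute value for the RFC 4514 string representation."""
    out = _ESCAPE_ANYWHERE.sub(r"\\\1", value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out  # leading '#' or space must be escaped
    if out.endswith(" "):
        out = out[:-1] + "\\ "  # trailing space must be escaped
    return out


def make_prefix(timestamp: int, member_id: int) -> str:
    """DN prefix generator (406): '<time stamp>-<member ID>', e.g. 861765228-9."""
    return f"{timestamp}-{member_id}"


def build_dn(rdns: List[RDN]) -> str:
    """Render leaf-first RDNs as one string, e.g. CN=...,OU=...,O=...,C=US."""
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in rdns)


def generate_unique_dn(prefix: str, base: List[RDN], issued: Set[str]) -> str:
    """DN generator (404): prepend the prefix as CN and refuse any name already issued.

    `issued` stands in for the set of names present in the certificate database.
    """
    dn = build_dn([("CN", prefix)] + base)
    if dn in issued:
        raise ValueError(f"distinguished name already issued: {dn}")
    issued.add(dn)
    return dn
```

For the page's attributes the result is CN=861765228-9,OU=XYZ Service Division,O=XYZ\, Inc,C=US; a second request with the same prefix is rejected, which is the uniqueness the certificate database relies on.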

[0033]The certificate engine 402 uses a key pair generator 412 to generate a public key and private key pair. This is done using a set of library functions that generate the private key together with the public key from supplied seed information. To conform to industry standards, the set of libraries used in the key pair generator 412 is supplied by RSA Data Security, Inc., Marine Parkway, Suite 500, Redwood City, CA 94065. The generated keys take the form of binary sequences such as 1110101100001...00101, and two generated keys generally will not coincide unless the seed used to generate them is known. To generate a unique private/public key pair, a random number must be supplied to the library as the seed. Those skilled in the art will understand that there are many ways of obtaining a random number. One commonly used method is to generate the random number by passing network traffic information from a hard-coded noise source through a one-way hash function. One-way means that one direction (the forward direction) can be computed far more easily than the other (the reverse direction), which is what makes it infeasible to obtain the private key from the public key. One example of such a hash function repeatedly multiplies a value by itself a certain number of times, taking the result modulo some number at each step.

[0034]The certificate engine 402 creates a new entry for the certificate in the certificate 
database. The secret key from the key pair is stored in the new entry, while the generated 
identifier and the public key obtained from the key pair generation machine 412 are used by the 
certificate engine 402 to generate a certificate signing request, or CSR. A CSR is a standard, 
publicly specified format for requesting a certificate from a CA. The CSR contains the identifier 
related to the public key to be certified by the CA, together with that public key. The CSR is a 
binary block of data packed into the certificate request in the standard format, and it is 
transmitted to the CA through the HTTP module 330 using HTTP. 
[0035]When a certificate request is received, the CA checks the provided information and 
attests to the validity of the user's public key, together with the other information, by signing a 
certificate. The CA then issues a certificate response, which may contain either the signed 
certificate or an error. When the certificate response contains an error, it means that the 
requested certificate failed, and a new process must be started. When, on the contrary, a 
certificate response with a signed certificate comes back from the CA, the certificate engine 402 
extracts the identifier from the received certificate and updates the corresponding entry in the 
certificate database through the certificate storing library 408. At this point the entry contains 
the signed certificate, in which the public key is embedded, and the corresponding secret key. 
It is referred to as a free certificate. 

[0036]Activation of the mobile device 302 triggers a request to generate a certificate for the 
device. The certificate engine 402 acquires a free certificate from the certificate database and 
associates it with the device ID. The association is made by creating an entry in a separate 
temporary table called device_cert_map_tbl, which is preferably held in the RAM of the proxy 
server 114. 

[0037]The certificate storing (CS) library 408, or CS library, is used to manage the certificate 
database, and it sometimes receives a certificate revocation list from the CA. A certificate 
revocation list (CRL) is a list of certificates revoked before their scheduled expiration date. 
There are several reasons why a certificate must be revoked and placed on a CRL. For example, 
the key specified in a certificate may have been compromised, or the user specified in the 
certificate may no longer have the authority to use the key. In more detail, suppose the user 
name related to a key is "Mr. Smith, vice president of XYZ company"; the company probably 
does not want him to sign messages with that key once Mr. Smith leaves the company. 
Therefore, the company places the certificate on a CRL. When a signature is checked, the 
related CRL can be consulted to confirm whether the signer's certificate has been revoked. 
Whether it is worth spending the time to perform this check depends on the importance of the 
signed document. A CRL is held by the CA and provides information about the revoked 
certificates issued by that CA. However, since an expired certificate would not be accepted in 
any case, a CRL lists only those invalid certificates that are still within their validity period. 
When a revoked certificate passes its original expiration date, it is removed from the CRL. 
Although CRLs are distributed and held separately, there may also be a central storage site for 
CRLs, a network site containing the newest CRLs from many organizations. 

[0038]The certificate storing library 408 receives such CRLs, and if a certificate currently 
maintained by CMM342 is on the list, it reports this to the certificate engine 402 for processing. 
CMM342 maintains the certificate database, which holds a fixed number of free certificates. 
When CMM342 associates a certificate from the certificate database with a user account, the 
associated certificate must be valid. This is guaranteed by first checking the CRL through the 
CS library 408. If the certificate acquired from the certificate database is on the CRL, the 
acquired certificate is thrown away and the next certificate is acquired from the certificate 
database. The check of the acquired certificate against the CRL is always performed in the CS 
library 408 before the acquired certificate is associated with an account; that the check against 
the CRL is **** with comprehensive ****** will be understood by those skilled in the art. All of 
the time or computational complexity of the check is asynchronous with respect to the mobile 
device 416, and since it is carried out within the proxy server 114, it is acceptable regardless 
of the length of the CRL. 

[0039]According to an embodiment of the invention, the source code listing in the appendix 
expresses the operation of the CMM. A TCertEngine object is created and initialized by calling 
the function named Initialize, which generates the thread that a main() function needs in order 
to serve requests from an HTTP client base. A thread that monitors the certificates in the 
certificate database is also created. Once created, this thread monitors the available resources 
and calls GenerateCert in TCertHttpProto to generate a certificate. This thread uses 
TDBCertPool to generate a new entry in the database for the certificate pool. 
[0040]The GenerateCert function acquires a new identifier from the identifier generation 
machine. It also acquires a new public/secret key pair from the key pair generation machine. 
GenerateCert uses this information to build a CSR. It then uses the SendCSR method in 
THttpCertRequest to issue the request to the CA over HTTP. When a certificate response is 
returned from the CA, the entry in the free pool is updated using TDBCertPool. 
[0041]When a free certificate needs to be associated with a user account, the HandleCreateCert 
method in TCertCreateCallback is called. That method calls a function in TDBDeviceMap to 
create a new entry in device_cert_map_tbl, and a response is returned to the caller. A reissue 
thread, TCertReissueThread, calls ReissueCert in TCertHttpProto to carry out the reissue of a 
certificate. It calls methods on TDBCertPool and TDBDeviceMap to revoke the certificate in the 
free pool and the certificate associated with the device. 

[0042]Drawing 7 and drawing 8 show the operation flow charts of the centralized certificate 
management system of this invention, and should be understood together with drawing 3, 
drawing 4, and drawing 5. This invention is compiled, and the linked process is loaded onto the 
proxy server 502, which carries out centralized certificate management. Generally, a proxy 
server is a server computer or device that has sufficient computing power and memory. The 
application that provides service to other computing devices runs on that device; the application 
is therefore generally called a server, and the device itself is called a server device here. The 
computing devices of this invention are thin devices such as a mobile device, a cellular phone, 
and an Internet device controller. 
[0043]CMM342 has the server device 502 maintain the certificate database, preferably stored on 
a local storage drive in the server device 502, in step 504. The certificate database holds a fixed 
number of free certificates, signed by the CA, that have not yet been associated with a user 
account or a thin client. By keeping immediately usable free certificates in the database, a thin 
client can acquire an associated certificate without noticeable time delay and without additional 
computing power or memory. The number of usable free certificates is counted in step 506. If the 
number falls, the step of acquiring a new certificate begins in step 510. It should be understood 
that the number of free certificates in the certificate database sometimes falls through the 
renewal of certificates in step 508. In order to check that a certificate to be associated with a 
user account is always valid, the CS library 408 constantly updates the free certificates in the 
certificate database according to certificate update messages received from the CA or from a 
well-known storage site. A certificate message may comprise a CRL or an insert/delete query; 
some free certificates are thereby thrown away by CMM342, and the number of free certificates 
decreases. In any case, CMM342 tries to maintain the level of free certificates in the certificate 
database by acquiring new certificates from the CA. When the process of acquiring a new 
certificate begins, in steps 510 and 512 CMM342 first acquires an identifier for the new 
certificate by calling the DN prefix generation machine 406 and the DN generation machine 404, 
and in step 514 it calls the KP generation machine 412 to generate a secret key and public key 
pair. In step 516, a certificate request is formed to include a CSR consisting of the generated 
identifier and public key. In step 518, CMM342 communicates with the CA via the HTTP server 
330 using HTTP. When the certificate request is received, the CA attests to the validity of the 
public key, together with the other information, by signing a certificate; a certificate response is 
returned to CMM342, and the signed certificate is obtained in step 520. The signed certificate is 
deposited in the certificate database as a free certificate in step 522. Logically, the number of 
free certificates is increased by one (**************ing) and compared with a fixed number, or 
threshold. When the increased (**************ed) number is still below the threshold, the 
process of acquiring a new certificate is repeated from step 510 until the number of free 
certificates in the certificate database reaches the threshold. 

[0044]Meanwhile, CMM342 maintains multiple user accounts in step 536, and each of those 
accounts is preferably assigned to one thin client. Each account has one or more certificates 
associated exclusively with it. When a thin client is activated in order to receive service from the 
server device 502, a new user account is established in step 538. As mentioned above, a user 
account can consist of a device ID, a member ID, user information, a certificate list, and a 
secret-key list. The device ID is information that helps recognize which thin client device the 
server device 502 is serving, and it is entered when the thin client is activated. User information 
includes information about the account configuration and the services the thin client needs. The 
member ID, the certificate list, and the secret-key list are obtained when a certificate is 
associated with the account. A request to acquire a certificate is created in step 540. When the 
request is received in step 542, CMM342 acquires a valid free certificate from the certificate 
database and associates the free certificate with the account. 
[0045]This invention includes a method of self-provisioning. In particular, the user can attempt 
to set up by himself, as shown in step 544 in drawing 8. When the user first attempts to log on 
to the account, he is accessing a user account. When a user logs in using the thin client device 
that has a device ID, access is verified immediately. When a user logs in using a PC connected 
to the Internet, the user must first enter the current user name and password. After acquiring 
access, the user can change the user name and/or the password in step 572, and in step 578 
the user can access the account from a thin client or another computing device in order to 
request a certificate from a specific CA. 

[0046]After a thin client is activated by building an account that has one or more certificates in 
the server device 502, the thin client can establish a secure and authenticated communication 
session in order to carry out secure and secret communication with secure websites. In step 
550, the server device 502 receives a session request from a thin client to establish a secure 
and authenticated communication session with a website identified by a URL. So that the server 
device 502 can recognize the thin device and authenticate such a request, the session request 
contains the thin client's device ID. In step 552, the device ID is extracted from the session 
request and compared with the device ID in a user account. If the device IDs agree, the thin 
device is authenticated and the corresponding account is examined further. In 544, the certificate 
in the matching account is acquired and included in the session request sent to the desired 
website using HTTPS. In step 558, authentication between the thin client and the linked website 
is performed by each side examining the other's certificate. If each certificate is trusted, a 
session key results, and it is used to encrypt the information exchanged between the thin client 
and the website. 
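As an added illustration, not the source code listing the patent refers to, the following Python models the free-certificate pool behaviour of paragraphs [0037], [0038], [0043], [0044] and [0046]: revoked entries leaving the CRL at expiry, CRL checks before a certificate is tied to an account, threshold-driven replenishment from the CA, and device-ID authentication of a session request. The DN prefix values, the CA stub and the CRL contents are constructed for the example.

```python
from dataclasses import dataclass
import itertools

@dataclass
class FreeCert:
    """A signed certificate plus its secret key, not yet tied to an account."""
    identifier: str   # DN; its prefix "<timestamp>-<memberID>" keeps it unique
    expires: int      # expiration day as a day number (constructed unit)
    secret_key: str   # placeholder for the stored secret key

def prune_crl(crl: dict, today: int) -> dict:
    """[0037]: a revoked certificate leaves the CRL once its original
    expiration date has passed; crl maps identifier -> expiration day."""
    return {ident: exp for ident, exp in crl.items() if exp >= today}

class CertPool:
    """Toy CMM: certificate database of free certs plus device_cert_map_tbl."""
    def __init__(self, threshold: int, timestamp: int = 861765228):
        self.threshold = threshold           # fixed number of free certs to keep
        self.free: list = []                 # free certificates (steps 504/506)
        self.device_cert_map_tbl: dict = {}  # device ID -> associated cert
        self._prefix = timestamp             # constructed: one request batch
        self._member = itertools.count(1)    # constructed: unique DN suffix

    def apply_crl(self, crl: dict) -> int:
        """CS library: throw away free certs that appear on a CRL from the CA.
        Returns how many were discarded (step 508)."""
        before = len(self.free)
        self.free = [c for c in self.free if c.identifier not in crl]
        return before - len(self.free)

    def replenish(self, ca_sign, max_errors: int = 3) -> int:
        """Steps 510-522: request new certs until the threshold is reached.
        ca_sign(identifier) stands in for the CA: FreeCert, or None on error."""
        errors = 0
        while len(self.free) < self.threshold and errors < max_errors:
            identifier = f"{self._prefix}-{next(self._member)}"  # constructed DN
            cert = ca_sign(identifier)
            if cert is None:          # error response: the request is restarted
                errors += 1
                continue
            self.free.append(cert)
        return len(self.free)

    def assign(self, device_id: str, crl: dict):
        """Step 542 / [0038]: hand out the next free cert that is NOT on the
        CRL; revoked ones are thrown away and the following one is tried."""
        while self.free:
            cert = self.free.pop(0)
            if cert.identifier in crl:
                continue
            self.device_cert_map_tbl[device_id] = cert
            return cert
        return None       # pool exhausted; caller must replenish first

    def session_cert(self, device_id: str):
        """Step 552: a session request is authenticated by its device ID and
        the certificate of the matching account is returned (None if unknown)."""
        return self.device_cert_map_tbl.get(device_id)
```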

[0047]This invention has been explained in detail with a certain degree of particularity. The 
description of this embodiment is given only by way of example, and it is understood by those 
skilled in the art that great changes in the steps, arrangement and combination of parts may be 
made without departing from the spirit and scope of this invention as claimed. Therefore, the 
scope of this invention is defined by the appended claims rather than by the description of one 
embodiment. 

[0048](Reference to a microfiche appendix) Appendix A, which is a part of the disclosure of this 
invention, is a microfiche appendix consisting of two sheets having a total of 184 frames, titled 
"the centralized certificate management system for the 2-way communication device in data 
networks." The microfiche appendix is a source code listing of one example of the centralized 
certificate management system for 2-way communication devices in the wireless data networks 
of this invention, and is explained more thoroughly above. 
[0049]A portion of the disclosure of this patent document is subject to copyright protection, 
including, but not limited to, the material in Appendices A, B and C. The copyright holder has 
no objection to the facsimile reproduction by anyone of this patent document or the patent 
disclosure as it appears in the patent file or records of the Patent and Trademark Office, but 
otherwise reserves all copyright rights whatsoever. 
* NOTICES * 

JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect the original 
precisely. 

2. **** shows the word which can not be translated. 
3. In the drawings, any words are not translated. 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 

[Drawing 1] It is a figure showing the model of how a certificate is used between the servers of a 
client device and a contractor. 

[Drawing 2] It is a figure showing the mobile-data network with which this invention may be 
carried out, and which consists of an air network (airnet) and a land network (landnet). 

[Drawing 3] It is a figure showing this invention which has a dialog with other portions and a 
component in data networks. 

[Drawing 4] It is a figure showing the example as which the user of a mobile device demands a 
certificate from CA which a user specifies. 

[Drawing 5] It is a figure showing the example as which the user of a mobile device demands a 
certificate from CA which a user specifies. 

[Drawing 6] It is a block diagram of various components in the authentication module of this 
invention. 

[Drawing 7] It is an operation flow chart which shows the process and procedure for managing a 
certificate in a server device on data networks for a thin client. 

[Drawing 8] It is an operation flow chart which shows the process and procedure for managing a 
certificate in a server device on data networks for a thin client. 

[Description of Notations] 

100 Data networks 

102 Exhaust air network (airnet) 

104 Randnet (landnet) 

108 Antenna 

106, 302, 304, and 306 Mobile device 

110 Desktop personal computer 

112 Server computer 

114 Proxy server computer 

116 Display screen 

118 Keyboard pad 

128 UDP interface 

310, 312, and 314 Ground line device 

316 Device ID 

318 Member ID 

320 Certificate list 

322 User Information 

324 User account 

326 Secret-key list 

328 Database 

330 HTTP module 

332 Client modules 

334 Memory 

336 UDP interface 
340 Server module 

342 CMM 

354 Gateway 

356, 358 CA 

368 Certificate table 

370 Certificate index 

372 URL list 

374, 376, 378, 380, and 382 Certificate 

402 Certificate engine 

404 Identifier generation machine 

406 DN prefix 

408 Certificate storing library 

410 Certificate demand module 

412 Key pair generation machine 

414 Seed generation machine 